[OpenID] Combining Google & Yahoo user experience research

Allen Tom atom at yahoo-inc.com
Tue Oct 14 06:56:29 UTC 2008


Chris Messina wrote:
> So many sites (in the wild) now immediately ask you for your email 
> address after you sign up with OpenID that it seems counter-productive 
> NOT to support email addresses... especially since they often require 
> you to confirm your email address via token (which, if it were part of 
> the OpenID spec, could be done entirely within the browser).
+1

I think there's a very interesting opportunity to use OpenID as a 
browser based email verification protocol. The emphasis is on verifying 
the user's email, not signing in. There are plenty of use cases where 
websites need a verified email address, and OpenID could be used to 
streamline this process and to increase the success rate. (many studies 
show that there is a huge failure rate for email verification)

For instance, many websites require a verified email address to 
register. This process could be greatly streamlined using OpenID if the 
RP trusted the OP to verify the user's email address. This would not 
require the site to "accept" OpenID for SSO, but it does allow the site 
to streamline its existing registration process.

Another scenario is the password reset use case. Many websites will 
reset a password by sending a secret to the user's verified email. This 
process could be streamlined by allowing the password to reset if the 
user is able to generate an OpenID assertion for the email address. 
Obviously, the RP *really* needs to trust the OP in this case.

Websites that want to accept OpenID already have an existing 
Login/Registration/PasswordRecovery system, and they need to graft 
OpenID on top of it. Defining a new "Email Verification" use case that 
is strictly focused on email verification could be the way that we get 
OpenID in the door, as implementing a lightweight email verification 
protocol (and not SSO) is probably a pretty easy sell, assuming that the 
email verification UX is much better than actually emailing a secret to 
the user.

As far as privacy is concerned, again, this is an email verification 
protocol, so the user is already giving their email address to the RP 
for the purposes of having it verified.

Allen
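As an added illustration of the RP-side trust decisions described in this message (not code from the thread, from Yahoo, or from any OpenID library), the following Python models the two flows: registration-time email verification and password reset gated on an OpenID assertion. It replaces the real OpenID 2.0 association and signature mechanics with an HMAC over the assertion fields so the policy checks stand out. Every endpoint, secret, domain and address below is constructed for the example; the `EMAIL_VERIFY_TRUST` and `PASSWORD_RESET_TRUST` tables are assumptions standing in for whatever trust configuration a real RP would maintain.

```python
"""Model of OpenID-as-email-verification with explicit OP trust checks.

Added example, not code from the mailing list or any OpenID implementation.
The signature is a plain HMAC stand-in for an OpenID association.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed shared secrets, standing in for OpenID associations between
# this RP and each OP (real OpenID obtains these via association requests).
OP_ASSOC_SECRETS = {
    "https://op.example-a.test/": b"assoc-secret-A",
    "https://op.example-b.test/": b"assoc-secret-B",
}

# Assumed policy: which OP the RP trusts to vouch for which mail domains.
# An OP asserting an address outside its listed domains is not authoritative.
EMAIL_VERIFY_TRUST = {
    "https://op.example-a.test/": {"example-a.test"},
    "https://op.example-b.test/": {"example-b.test"},
}

# Assumed stricter allowlist for the password-reset flow, where (as the
# message says) the RP really has to trust the OP.
PASSWORD_RESET_TRUST = {"https://op.example-a.test/"}


@dataclass
class Assertion:
    op_endpoint: str
    email: str
    nonce: str
    return_to: str
    sig: str = ""


def _signing_input(a: Assertion) -> bytes:
    # Newline-joined fields; every field the RP relies on is covered.
    return "\n".join([a.op_endpoint, a.email, a.nonce, a.return_to]).encode()


def op_sign(a: Assertion, secret: bytes) -> Assertion:
    """OP side: sign the assertion with the association secret."""
    a.sig = hmac.new(secret, _signing_input(a), hashlib.sha256).hexdigest()
    return a


@dataclass
class RelyingParty:
    return_to: str
    accounts: set = field(default_factory=set)        # existing local accounts
    seen_nonces: set = field(default_factory=set)     # replay protection
    verified_emails: set = field(default_factory=set)

    def _check_signature(self, a: Assertion) -> bool:
        secret = OP_ASSOC_SECRETS.get(a.op_endpoint)
        if secret is None:
            return False                               # unknown OP, no association
        expected = hmac.new(secret, _signing_input(a), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, a.sig)

    def verify_email(self, a: Assertion) -> bool:
        """Registration flow: accept the assertion as proof of the email."""
        if not self._check_signature(a):
            return False
        if a.return_to != self.return_to:
            return False                               # assertion meant for another RP
        if a.nonce in self.seen_nonces:
            return False                               # replayed assertion
        domain = a.email.rsplit("@", 1)[-1].lower()
        if domain not in EMAIL_VERIFY_TRUST.get(a.op_endpoint, set()):
            return False                               # OP not authoritative for domain
        self.seen_nonces.add(a.nonce)
        self.verified_emails.add(a.email.lower())
        return True

    def allow_password_reset(self, a: Assertion) -> bool:
        """Reset flow: same checks, plus a stricter OP allowlist and a real account."""
        if a.op_endpoint not in PASSWORD_RESET_TRUST:
            return False
        if a.email.lower() not in self.accounts:
            return False
        return self.verify_email(a)


if __name__ == "__main__":
    rp = RelyingParty("https://rp.test/openid/return", accounts={"alice@example-a.test"})
    good = op_sign(Assertion("https://op.example-a.test/", "alice@example-a.test",
                             "nonce-1", rp.return_to),
                   OP_ASSOC_SECRETS["https://op.example-a.test/"])
    print("verify:", rp.verify_email(good), "replay:", rp.verify_email(good))
```

The domain check is the part worth keeping even if everything else is simplified: a signature only proves that some OP made the assertion, and the RP still has to decide whether that OP is the one entitled to vouch for the address in question.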